Wireless Authentication Protocols

Written by Marshall Thompson | Oct 8, 2020 3:44:02 PM

Who doesn’t love Wi-Fi? Everybody uses it, and in today’s digital world there aren’t many places you can go where you won’t have access to it.

But how does it work?

“OKAY NERD, who cares how it works?! Just let me connect so I can check on my fantasy football team!”

It is important (but not required) to have a general understanding of how technology works so that you can solve potential problems when they arise, or avoid them altogether. Even a broad, simple understanding of the technology in place can greatly mitigate security risk and increase performance of personal/home and business networks.

Before we begin talking about the schemes and protocols used for wireless authentication, it is important to keep context in mind. Wireless authentication protocols can be implemented much differently for a personal/home network compared to a business network, and for good reason. There are trade-offs between security and accessibility on any network, and wireless network authentication isn't any different. What users are doing on the network and the probability of a security breach - which varies greatly between personal/home and business networks - determine whether security or accessibility takes priority. This is the difference between a network being more secure but a royal PITA to access and maintain, versus being less secure but easier for everyone to access - even those who are technology-illiterate.

For simplicity, we can assume that a business network prioritizes security over accessibility because they care more about securing their intellectual property than whether an employee can check their fantasy football team on their phone in the break room. Alternatively, we can assume that a home network prioritizes accessibility over security because someone would rather share their Wi-Fi password with their guests than have to manage user accounts and additional infrastructure like a backend authentication server.

With that being said, let’s jump in.

Extensible Authentication Protocol (EAP)

The first protocol we will discuss is EAP (Extensible Authentication Protocol). EAP is more of a framework or scheme and is recommended for securing a business network. EAP is the Wi-Fi equivalent of Microsoft Kerberos. There are numerous variations of EAP, but they all follow the same three-part model, which includes a Supplicant, an Authenticator and an Authentication Server. In broad terms, a Supplicant here would be a client device (phone, laptop, IoT device) which makes a request to join a wireless network. This request is sent from the Supplicant (client device) to the Authenticator (the wireless access point). The Authenticator communicates between the Supplicant and the backend Authentication Server to verify credentials and either grant or deny access to the Wi-Fi network. In this case, the Supplicant user would have an account that they authenticate with and that is verified by the backend authentication server. Each successful authentication to the Wi-Fi network is logged with the user and their Supplicant device, which increases accountability.

 

Who should implement EAP?

Not every network should implement EAP. Even though it is the most secure wireless authentication protocol/scheme, it is often only seen in professional environments due to the configuration required and extra steps taken to authenticate and join the Wi-Fi network. As mentioned earlier, a business network will prioritize security over accessibility and inversely, a home network will prioritize accessibility over security. It would be uncommon to see a home network implement an authentication server and manage user accounts for different visiting friends or family members, when instead they could implement the PSK (Pre-Shared Key) authentication protocol.

Pre-Shared Key Protocol (PSK)

Wi-Fi networks which implement PSK do not require the additional infrastructure of an authentication server, nor do they institute user accounts for each connected device, but they do still require authentication.

Wi-Fi networks secured using a PSK are what we think of as the traditional Wi-Fi. We have all at one point asked “Hey, what’s your Wi-Fi password?” but very few of us have ever asked “what user account can I use for communicating with your authentication server?” This is the difference between a home network implementing PSK, versus a business network implementing EAP. Although they both require authentication credentials, the main difference here is that a Pre-Shared Key doesn’t require a username as well and authenticates directly with the Wi-Fi access point. This places higher importance on the strength of a Wi-Fi password.

EAP vs. PSK

When authenticating to Wi-Fi at home, a typical user only cares about being able to access the Wi-Fi network, and doesn’t care what authentication protocol is being used for establishing secure access. This ignorance is a mistake, because the protocol used for wireless authentication is very important to a network’s security. Regardless of the authentication scheme a network admin implements (EAP vs PSK), properly encrypted protocols are required to maintain secure communications between the client and the AP.

WEP (Wired Equivalent Privacy) is very old and degraded, and can be cracked easily by any script kiddie with a computer. WEP should be avoided at all costs! WPA (Wi-Fi Protected Access) was supposed to be the WEP fix, but over time vulnerabilities were found in WPA as well, and it is no longer recommended as the authentication protocol to use. WPA-2 (Wi-Fi Protected Access v2) was built to fix the vulnerabilities in WPA and can be used with TKIP (Temporal Key Integrity Protocol) or AES (Advanced Encryption Standard), with AES being the more secure of the two.

WPA-2 can be classified into two categories, WPA-2 Personal and WPA-2 Enterprise, and the distinguishing factor is the authentication scheme (EAP vs PSK). In most cases, home networks will implement a PSK scheme with WPA-2 Personal (utilizing TKIP or AES) while a business network will implement some form of EAP with WPA-2 Enterprise (likely utilizing AES). If you are not using a flavor of WPA-2 for authentication, switching to one should be the next item on your to-do list.

Which protocol am I using for my network?

If you are curious which protocol version you are using for your network, and after reading this article I hope you are at least curious, you can check by following these steps:

Windows:

  1. Open the start menu to search for “wifi” and then click on “Wi-Fi Settings”.
  2. In Wi-Fi Settings, click on your SSID (your Wi-Fi network name) to show details.
  3. Now scroll down to view the options and locate the value for “Security Type”.

Mac:

  1. Click on System Preferences and then Network.
  2. With Wi-Fi selected, click to show Advanced options.
  3. Under the Wi-Fi tab, locate your Wi-Fi and its listed Security value.

Here it will tell you if you are connected using WPA-2 Personal or WPA-2 Enterprise (if it says WEP or anything other than WPA-2, you will want to update your settings on your access point immediately).
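The same check can be scripted. The following is an added example, not part of the original article: it parses the text printed by the Windows command `netsh wlan show interfaces` and reports the protocol, the scheme (EAP vs PSK) and the cipher, flagging WEP, WPA and TKIP. The sample output is constructed, and the function names are hypothetical.

```python
import re

# Constructed sample of `netsh wlan show interfaces` output, not from a real host.
SAMPLE_NETSH = """\
    Name                   : Wi-Fi
    State                  : connected
    SSID                   : ExampleHome
    Authentication         : WPA2-Personal
    Cipher                 : TKIP
"""

def parse_fields(text):
    """Turn 'Key : Value' lines into a dict keyed by lowercase field name."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(" : ")
        if sep:
            fields[key.strip().lower()] = value.strip()
    return fields

def assess(text):
    """Classify the connection (protocol, EAP vs PSK, cipher) and list findings."""
    f = parse_fields(text)
    auth, cipher = f.get("authentication", ""), f.get("cipher", "").upper()
    norm = re.sub(r"[^a-z0-9]", "", auth.lower())  # "WPA2-Personal" -> "wpa2personal"
    wpa = re.match(r"wpa(\d?)", norm)
    if cipher == "WEP" or "wep" in norm:
        protocol = "WEP"
    elif wpa:
        protocol = "WPA-" + wpa.group(1) if wpa.group(1) else "WPA"
    else:
        protocol = auth or "unknown"
    scheme = "EAP" if "enterprise" in norm else "PSK" if "personal" in norm else None
    findings = []
    if protocol in ("WEP", "WPA", "Open", "unknown"):
        findings.append(f"{protocol}: move the access point to WPA-2")
    if cipher == "TKIP":
        findings.append("TKIP in use: select AES (shown by netsh as CCMP)")
    return {"ssid": f.get("ssid"), "protocol": protocol, "scheme": scheme,
            "cipher": cipher, "findings": findings}

if __name__ == "__main__":
    print(assess(SAMPLE_NETSH))
```

On a real machine, feed `assess()` the captured output of the command instead of the sample; an empty `findings` list means the connection is WPA-2 or newer without TKIP.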

Whether you’re managing a business network or a personal home network, it is a good idea to always remember the inverse relationship of security vs accessibility, because how you prioritize the two will dictate which scheme to implement. Regardless of whether you choose EAP or PSK, it is most important to utilize the most current standards for encrypted traffic by ensuring your network is using some form of WPA-2.

Hopefully this article has been helpful so you can make confident and informed decisions when managing your wireless networks.

If you still have questions, feel free to contact Pulsar Security! We are happy to help.